Covert Redirect security vulnerability found in OAuth and OpenID

Covert Redirect vulnerability is the security flaw in the open standards for authorization OAuth and OpenID that is menacing IT industry.

Another security flaw in the open standards for authorization OAuth and OpenID is scaring IT industry. Just a few weeks after the disclosure of the Heartbleed vulnerability, another major flaw was discovered in the open security standard practically everywhere, principal web services including Microsoft, Google, Facebook and LinkedIn implements the popular standard to all user authentication to their platforms.

“Given the trust users put in Facebook and other major OAuth providers I think it will be easy for attackers to trick people into giving some access to their personal information stored on those service,” said Wsyopal.

The discovery was made by Wang Jing, a Ph.D student at the Nanyang Technological University in Singapore, the expert has noticed that the critical “Covert Redirect” vulnerability can masquerade as a login popup based on an affected site’s domain.

“The name Covert Redirect is derived from and to contrast with the existing vulnerability Open Redirect. An Open Redirect is an application that takes a parameter and redirects a user to the parameter value WITHOUT ANY validation (OWASP). If a website is exposed to Open Redirect attack, it is often because of its own negligence.” reports the student in the post.

The exploitation of the Covert Redirect flaw allows an attacker to implement an insidious technique to deceive users and steal their credentials. If the victim clicks on a malicious phishing link he will get a popup window on Facebook, asking him to authorize the app. Instead of using a fake domain name that’s similar to the one requested by the user, the Covert Redirect flaw uses the real site address for authentication.

If the victim authorizes the login, personal data used by the specific website are redirected to the attacker instead of to the legitimate web service. Sensitive information, depending on the range of data requested by the web service, including email addresses, birth dates and contact lists are provided to the attacker.

Even if the victim doesn’t authorize the app, he will redirected to a website controlled by the attacker which could be anyway used to serve a malware.

Wang has already reported the Covert Redirect vulnerability to Facebook, but the answer let us perplexed:

“understood the risks associated with OAuth 2.0,” and that “short of forcing every single application on the platform to use a whitelist,” fixing this bug was “something that can’t be accomplished in the short term.” replied Facebook.

Wang also informed Google, LinkedIn and Microsoft, who provided various responses to mitigate the flaw, they basically know of the existence of the Covert Redirect flaw and will soon release detailed information on it.

“Patching this vulnerability is easier said than done. If all the third-party applications strictly adhere to using a whitelist, then there would be no room for attacks,” “However, in the real world, a large number of third-party applications do not do this due to various reasons. This makes the systems based on OAuth 2.0 or OpenID highly vulnerable.”said Wang.

To mitigate the Covert Redirect vulnerability it is suggested to the Users to carefully evaluate the possibility to authorize log in procedure to Facebook or Google simply clicking the links. The immediate closure of the tab should prevent any redirection attacks.

We cannot compare the severity of Covert Redirect vulnerability to the Heartbleedflaw, but it could be a serious error to underestimate it. Wang sustains that one of the main problem approaching the Covert Redirect flaw is to pretend that third-party sites will fix the problem.

To be honest, this isn’t the first time the flaw has been debated, Covert Redirect has surely a minor impact than Heartbleed, which could expose the most critical information.

Last year, Egor Homakov reported similar issues and the IETF outline on OAuth 2.0 warns about the risk associated with open redirects in the redirect_uri. Also LinkedIn company raised an alert regarding registering URIs earlier this year.

I believe that we are not facing with a vulnerability in the principal web services provided by companies like Google and Facebook problem, the problem is not in the OAuth 2.0 framework, but it is the lack of token whitelisting in its implementation made by third parties.

Share On

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer.
Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US.
Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines.
Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.